samba - Feb 2020 - Failover DC did not work when Main DC failed

Hello Kris,


On 03/02/2020 07:15, Kris Lou via samba wrote:
> Unless it's_not_  a global catalog.  Check your SRV records again,
there
> should be corresponding "_gc" records (similar to
"_ldap") for each DC.
Checked and both DCs pass all tests:-

host -t SRV _ldap._tcp.mydomain.com.
host -t SRV _gc._tcp.mydomain.com.
host -t SRV _kerberos._udp.mydomain.com.
host -t A dc3.mydomain.com.
host -t A dc4.mydomain.com.

e.g. (for _gc)

root at dc3.mydomain.com ~ $ (screen) host -t SRV _gc._tcp.mydomain.com.
_gc._tcp.mydomain.com has SRV record 0 100 3268 dc3.mydomain.com.
_gc._tcp.mydomain.com has SRV record 0 100 3268 dc4.mydomain.com.

> So, based upon the link/graphic I posted earlier:
> * either your 2nd DC isn't being returned as a part of DNS lookups
For the Windows desktops and the QNAP server, they have the IP addresses for
both DCs in their respective DNS settings.

For a Windows desktop tested this morning, the command nslookup defaults to DC3
at 192.168.0.218 but when that was "down" DNS queries timed out.

> * or that 2nd DC isn't responding to queries for authentication
Both DCs have this as their Kerberos configuration (/etc/krb5.conf):-

[libdefaults]
         default_realm = MYDOMAIN.COM
         dns_lookup_realm = false
         dns_lookup_kdc = true

If I run this command, authentication works:-

smbclient //dc4/netlogon -U jbloggs

> * or the client isn't storing/retrieving the 2nd DC's availability
for
> future lookups
If it's in Windows network settings or a QNAP's resolver file, where
else should it be?!

> ** could be related to DNS? storage via registry-equivalents? no idea here,
> but putting it as "client side"
I am happy to accept any suggestions here. There is no point in having multiple
DNS servers for Windows or another DC joined for failover if none of it works as
it is supposed to.

> FWIW, I checked my file server (winbind, not sssd):
> * checked the logonserver (which DC it was authenticating against)
> * stopped samba on that DC
> * checked logonserver again -- and it had switched to a different one.  So
> 4.10 Louis winbind works (for me).
Winbind is definitely running on both DCs and I followed the Wiki instructions
to the letter.

Both DCs are talking to one another for replication and I can authenticate
(manually using kinit) on each DC but when one virtual machine fails to boot
then problems happen.

Thanks.

Paul

>
> Do you have command line for doing this?
>From windows:
echo %logonserver%
nltest /dsgetdc:<domain>
>From a *nix domain member (i.e. client, not DC), using winbind:
winbind --getdcname=<domain>
winbind --ping-dc

For the Windows desktops and the QNAP server, they have the IP
addresses
> for both DCs in their respective DNS settings.
> For a Windows desktop tested this morning, the command nslookup defaults
> to DC3 at 192.168.0.218 but when that was "down" DNS queries
timed out.

That's probably expected.  I don't think nslookup can query multiple DNS
servers at once.  But is DC4 actually responding to DNS queries?  Compare
"nslookup <domain> <DC3-ip>" and "nslookup
<domain> <DC4-ip>", which will
hopefully tell you that both DC3/DC4 are capable of answering queries.

This DNS timeout on "standard traffic" is probably what you need to
figure
out then.

And I hate to ask, but are both samba and bind set to automatically start
after boot (on the DC's)?

On 03/02/2020 18:49, Kris Lou via samba wrote:
>> Do you have command line for doing this?
>
>  From windows:
> echo %logonserver%
> nltest /dsgetdc:<domain>
>
>  From a *nix domain member (i.e. client, not DC), using winbind:
> winbind --getdcname=<domain>
> winbind --ping-dc
Ah, I think you mean 'wbinfo' not 'winbind' as in 'wbinfo 
--getdcname=<domain>' and it does work on a Samba DC ;-)

Rowland

On 03/02/2020 18:49, Kris Lou via samba wrote:
> 
> From windows:
> echo %logonserver%
\\DC3

> nltest /dsgetdc:<domain>
DC:\\DC3
Address: \\192.168.0.218
Dom Guid: bla bla bla
...
The command completed successfully.

>  From a *nix domain member (i.e. client, not DC):
> wbinfo --getdcname=<domain>
> winbind --ping-dc
wbinfo --getdcname=MYDOMAIN
DC3

wbinfo --ping-dc
checking the NETLOGON for domain[mydomain] dc connection to
"dc3.mydomain.com" succeeded

> That's probably expected.  I don't think nslookup can query
multiple DNS
> servers at once.  But is DC4 actually responding to DNS queries?  Compare
> "nslookup <domain> <DC3-ip>" and "nslookup
<domain> <DC4-ip>", which will
> hopefully tell you that both DC3/DC4 are capable of answering queries.
Yep, DC4 is responding to queries.

> This DNS timeout on "standard traffic" is probably what you need
to figure
> out then.
OK.

> And I hate to ask, but are both samba and bind set to automatically start
> after boot (on the DC's)?
Yup.

Paully

On 03/02/2020 18:49, Kris Lou via samba wrote:
> 
> From windows:
> echo %logonserver%
\\DC3

> nltest /dsgetdc:<domain>
DC:\\DC3
Address: \\192.168.0.218
Dom Guid: bla bla bla
...
The command completed successfully.

>  From a *nix domain member (i.e. client, not DC):
> wbinfo --getdcname=<domain>
> winbind --ping-dc
wbinfo --getdcname=MYDOMAIN
DC3

wbinfo --ping-dc
checking the NETLOGON for domain[mydomain] dc connection to
"dc3.mydomain.com" succeeded

> That's probably expected.  I don't think nslookup can query
multiple DNS
> servers at once.  But is DC4 actually responding to DNS queries?  Compare
> "nslookup <domain> <DC3-ip>" and "nslookup
<domain> <DC4-ip>", which will
> hopefully tell you that both DC3/DC4 are capable of answering queries.
Yep, DC4 is responding to queries.

> This DNS timeout on "standard traffic" is probably what you need
to figure
> out then.
OK.

> And I hate to ask, but are both samba and bind set to automatically start
> after boot (on the DC's)?
Yup.

Paully

-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba